#1 2019-01-12 4:44 pm

aditsu
Member
Registered: 2018-12-25
Posts: 5

Email verification

Hi, I have a website where I let people post comments without registering (I manually approve or delete each comment). I recently started getting a little more spam, so I found Stop Forum Spam and started using it. It's a good service, although the SFS website has a lot of idiosyncrasies and typos.

SFS has helped me block a bunch of spammers, but some are still getting through. So I looked into reporting spammers as the next step. Got an API key and reported 2 spammers so far.

However, I realized that there might be a problem. Since I don't do registrations, the email addresses provided in the comment form may be trivially forged. In fact, I don't even require an email address, but spammers seem to provide one anyway. Your "Add Spam Data" form requires an email address though, so I filled it in. But I couldn't find any indication whether it has to be a verified/validated address or not. I just suspected that reporting unverified addresses could add noise and potentially block legitimate users in the worst case.

Only after digging and searching through the forums I found that you actually expect people to report only verified email addresses. You don't seem to have any measure to enforce that policy or even inform people about it. And it looks like it has already caused some problems.

If my understanding is correct, I suggest taking the following measures:
- IMMEDIATELY add a clear warning about the email address (having to be verified) to the "Add Spam Data" form and also to the API usage page
- allow reporting spam without an email address, or alternatively add a checkbox where I can specify whether the address is verified or not
- consider requiring some kind of evidence of email verification - this is more difficult

Offline

#2 2019-01-12 5:28 pm

Alex Kemp
Moderator
From: Nottingham, England
Registered: 2009-12-02
Posts: 2,420
Website

Re: Email verification

aditsu wrote:

I don't do registrations, the email addresses provided in the comment form may be trivially forged

Remove all your spammers (as found under My Spammers), and do so immediately. The FAQ states, and without any typos:–

The email address needs to have been verified, by sending it information that is required to complete the registration. This is to ensure that the email address is actually under the control of the spammer, and hasn't just been quoted from some public mention of it. Most forums can do email verification of this kind, though it is not always enabled by default. If yours doesn't, then you MAY NOT submit data here.

Unless and until you implement email verification you may NOT post any spammers here.

I have sent a PM to ped. If those spammers remain, then you will be blocked at the firewall. We take the cleanliness of our DB most seriously.

Offline

#3 2019-01-12 6:03 pm

sklerder
Member
Registered: 2012-10-11
Posts: 336
Website

Re: Email verification

Hello!

You wrote:

although the SFS website has a lot of idiosyncrasies and typos.

Perhaps you should detail this point?
If you don't give more details, there's a big chance these typos and idiosyncrasies will remain...

allow reporting spam without an email address, or alternatively add a checkbox where I can specify whether the address is verified or not

It's not that simple: modifying the form for submitting would have an impact on the API, and if the API is modified, modifications made by different authors will break.
And, from my point of view, it wouldn't be a good idea; this could lead to excessive unverified data. The goal of the SFS database is to provide verified data.

Offline

#4 2019-01-12 8:06 pm

aditsu
Member
Registered: 2018-12-25
Posts: 5

Re: Email verification

Hi, thanks for the replies.

Alex wrote:

Remove all your spammers (as found under My Spammers), and do so immediately.

Done. There were only 2, now there are none.

Alex wrote:

The FAQ states, and without any typos:– ...

I checked the FAQ now by following your link, and I couldn't find any occurrence of the word "verified". Maybe I'm blind or doing something wrong, I don't know. Either way, I think the warning should be more prominent.

sklerder wrote:

although the SFS website has a lot of idiosyncrasies and typos.

Perhaps you should detail this point?

Sure, let me mention a few:
- home page: "specialsed", "lists details known hostile and abusive addresses", "provide a all the data"
- API usage: "depreciated", "This is not standard or compliant XML" - actually it is perfectly standard and compliant XML 1.0, "the standard format this that query will return results as will XMLDOM" - sentence doesn't make sense and "XMLDOM" hasn't been defined yet, "The default format is not XML compliant" - actually it is, "depreciated" again, "The API supports HTTP however the client must support SNI" - SNI is needed for HTTPS not HTTP, "domaiNs" (capital N?), "obmitted", "epoc"
(I haven't checked other pages in detail)
- the site seems to direct people to install a plugin (apparently assuming that a plugin already exists for the user's website), the API option is harder to find, and seems to be focused on php (I'm using the API from java btw); at least it somewhat acknowledges that and the possibility of using other languages
- the forum pages have 2 search links and a search box, all of them labeled "Search"; I initially tried to use the search box to search in the forum, only to find that it lists spammer entries instead

sklerder wrote:

Modifying the form for submitting would have an impact on the API

Any modification could be done as an optional extension while keeping the old behavior by default.

sklerder wrote:

this could lead to excessive unverified data

I think it would be useful to know if an IP address has been used for spamming, with or without a verified email address. Or do you think the amount of data will be too large and put a strain on the servers?

Anyway, I noted your points, will not add any unverified email in the current system, and hope you will consider my suggestions.

Offline

#5 2019-01-12 9:11 pm

aditsu
Member
Registered: 2018-12-25
Posts: 5

Re: Email verification

In the meantime I did a google search for "The email address needs to have been verified, by sending it information that is required to complete the registration." and it listed the same FAQ page as the only result. I was able to find that text in the Google cached version of the page. But when I load the live page, it doesn't contain the "What data can I submit?" question with the answer that has that text.

Either way, I think that shouldn't be (only) in the FAQ, but in the form and the API page, as I mentioned in my first suggestion.

Offline

#6 2019-01-12 9:37 pm

Alex Kemp
Moderator
From: Nottingham, England
Registered: 2009-12-02
Posts: 2,420
Website

Re: Email verification

aditsu wrote:

I checked the FAQ now by following your link, and I couldn't find any occurrence of the word "verified"

I now cannot find it either. I copy/pasted it from the link that I copied from the address bar. I've no idea why I cannot re-find it.  I do not know how that section vanished, either. Another question for pedigree.

Offline

#7 2019-01-12 9:48 pm

kpatz
Member
Registered: 2008-10-09
Posts: 1,437

Re: Email verification

I've mentioned in the past that many of the rules for submission, which are enforced, aren't posted in a common place, especially on the submission page.  Most are buried in forum threads.

Requiring verified email addresses is one, and requiring that the spammer have posted actual spam (or placed spam links in profile/signature) on your site before submitting is another.

Anyone who initially discovers this site and starts submitting spammers may not be aware of these requirements as a result, and could be submitting tainted data unknowingly.

Last edited by kpatz (2019-01-12 9:48 pm)


Spam happens when greed meets stupidity.

Offline

#8 2019-01-13 2:35 am

Papa Parrot
Member
From: Mexico
Registered: 2011-08-19
Posts: 1,826
Website

Re: Email verification

That might be true, especially ones that don't read anything, but now the OP does know. I do agree something clear on this should be included in the form for getting an API, in fact on the "agree to the rules" part, they should have to follow a link, read the rules, and then if they do agree, follow through with completing the API registrations. As it is now, a new user could easily say "but I did not know that", which is ok, 1 time that excuse would work, now the OP does know, and anyone else that reads this thread knows.
======= edited=====
note, it is there in the FAQ, under > What data can I submit

The database records a log of actual incidents of spam content arriving on live forums and blogs. It does not record suspicious or unwanted activity of any other kind. It is not a ban list or black list as such.

Spam submission must be triggered by a human who makes the decision to report each incident using some judgment. If it was a decision that could be made automatically by software there would be no need for this database.

Spam content is broadly defined as content that is intended to promote a product or a cause, and which is clearly unsuitable for the forum on which it is posted.

Most forums have a registration agreement which specifically excludes spam. Please ensure that your forum registration agreement is clear about this to avoid disputes about whether a post is legitimately regarded as spam.

Some common forms of spam include:

    A promotional/commercial but irrelevant web link in a profile signature or elsewhere in a profile.
    A post discussing the merits of a product or service, typically with one or more web links (which may or may not be easy for a human reader to spot)
    A post containing just one or more web links
    A post consisting of gibberish text apparently on some kind of theme, with links buried in it
    A post advertising a (frequently illegal or semi-legal) service containing contact mobile phone numbers or a post box address.
    A post by someone apparently responding to a question requesting product suggestions (from an accomplice) with a link to something they 'found'. (These are harder to spot unless you know what you're looking for).


Spammers will think of other forms, which are submittable if they meet the broad definition above. Not all posts that meet any of the above definitions need be regarded as spam. Some judgment is required.

Common forms of non-spam (that can't be submitted) include:

    Suspicious registrations - even those already listed in the database
    Hacking attempts
    Posts that are merely offensive

* None of these are sufficient because they do not contain spam material.

The content of spam posts should be submitted as evidence where practicable, but this is not required.

A spam report without evidence that is challenged by the reported spammer is more likely to be removed than one with evidence.

A spam submission here needs:

    the registration user name
    the IP address
    the email address
    preferably spam content as evidence.

Note

    The IP must be the actual IP used to contact the forum or blog. If your forum is behind a reverse proxy such as Cloudflare, you'll need to find the origin IP to submit. If a visit comes from a web proxy or other service, you report the web proxy IP, not the IP address that it may claim it is forwarding for.
    If you're using a recommended forum plugin with a 'submit to stopforumspam' button, it should be taking care of this for you.
    The email address needs to have been verified, by sending it information that is required to complete the registration. This is to ensure that the email address is actually under the control of the spammer, and hasn't just been quoted from some public mention of it. Most forums can do email verification of this kind, though it is not always enabled by default. If yours doesn't, then you MAY NOT submit data here.

Spammers occasionally use different IPs for registration and spam posting. You can report either or both as convenient. To report both, you will need to make the same submission twice specifying different IPs. Include evidence only with the submission for the actual post. This is only relevant if you're doing manual submission via the webform on this site, or building a forum plugin.

    The email address needs to have been verified, by sending it information that is required to complete the registration. This is to ensure that the email address is actually under the control of the spammer, and hasn't just been quoted from some public mention of it. Most forums can do email verification of this kind, though it is not always enabled by default. If yours doesn't, then you MAY NOT submit data here.

Offline
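The verification step that the FAQ text quoted above describes, sketched as an added example (not part of any post in this thread and not Stop Forum Spam's code): a site mails a token bound to the address, and a report is built only when that token came back and a human judged the content to be spam. All names here (`SITE_KEY`, `issue_token`, `confirm_token`, `Comment`, `build_report`, the dictionary keys) are hypothetical, and the sample values in the usage are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

SITE_KEY = secrets.token_bytes(32)  # assumption: per-site secret, persisted in a real deployment
TOKEN_TTL = 24 * 3600               # assumption: confirmation links expire after one day


def _mac(email: str, expires: int) -> bytes:
    # Bind the token to one normalised address and one expiry time.
    msg = f"{email.strip().lower()}|{expires}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_token(email: str, now: Optional[float] = None) -> str:
    """Token to e-mail to the address; only someone reading that mailbox can return it."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    return f"{expires}.{_mac(email, expires).decode()}"


def confirm_token(email: str, token: str, now: Optional[float] = None) -> bool:
    """True only if the token was issued for this exact address and has not expired."""
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    if not hmac.compare_digest(mac.encode(), _mac(email, expires)):
        return False  # forged token, or token issued for another address
    return (time.time() if now is None else now) <= expires


@dataclass
class Comment:
    username: str
    ip: str
    email: str
    body: str
    email_verified: bool = False  # set only after confirm_token() succeeded
    judged_spam: bool = False     # set only by the human moderator


def build_report(c: Comment) -> Optional[dict]:
    """Return the fields the FAQ lists for a submission, or None if it must not be sent."""
    if not (c.judged_spam and c.email_verified):
        return None  # unverified address or no human decision: do not report
    if not (c.username and c.ip and c.email):
        return None  # the FAQ asks for user name, IP address and email address
    return {"username": c.username, "ip": c.ip, "email": c.email, "evidence": c.body}
```

A comment form that accepts an unconfirmed address, as in the first post, never sets `email_verified`, so `build_report` returns `None` for every comment it receives.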

#9 2019-01-13 4:31 am

pedigree
uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı
From: New Zealand
Registered: 2008-04-16
Posts: 7,054

Re: Email verification

You have no submissions to remove, but please do not add a record without a verified email address. Unverified data is NOT permitted.

Offline

#10 2019-01-13 8:23 am

aditsu
Member
Registered: 2018-12-25
Posts: 5

Re: Email verification

kpatz wrote:

many of the rules for submission, which are enforced, aren't posted in a common place, especially on the submission page.

Anyone who initially discovers this site and starts submitting spammers may not be aware of these requirements as a result, and could be submitting tainted data unknowingly.

I couldn't agree more!

Papa Parrot wrote:

now the OP does know

Now yes, but initially I didn't, and the same thing can happen with any new user.

Papa Parrot wrote:

something clear on this should be included in the form for getting a API

You mean an API key? Yes, the sign up form is another good place to mention it.

Papa Parrot wrote:

As it is now, a new user could easily say "but I did not know that", which is ok

Well, they could be adding a thousand spammers with unverified addresses and still not know that there's any problem, unless they happen to read about it in the forum, or to think about how SFS really works and search and/or ask about it like I did.

Papa Parrot wrote:

note, it is there in the FAQ, under > What data can I submit

Already discussed in comments #2, #4, #5 and #6

pedigree wrote:

you have no submissions to remove

That's because I already removed them.

pedigree wrote:

unverified data is NOT permitted

Ok, but that should be made clear on the website.

Offline

#11 2019-01-13 8:50 am

kpatz
Member
Registered: 2008-10-09
Posts: 1,437

Re: Email verification

note, it is there in the FAQ, under > What data can I submit

That wasn't there 24 hours ago.  Was it just added?

The entire FAQ needs revamping anyway.

The new API key page, as well as the submit page, should mention these rules as well, or at least provide a clearly marked link to them.


Spam happens when greed meets stupidity.

Offline

#12 2019-01-13 8:55 am

aditsu
Member
Registered: 2018-12-25
Posts: 5

Re: Email verification

kpatz wrote:

That wasn't there 24 hours ago.  Was it just added?

I still don't see it. It seems that different people (and sometimes the same people at different times) see different versions of the FAQ page. Also see comment #6.

Offline

#13 2019-01-13 2:37 pm

zero-tolerance
Member
Registered: 2013-02-25
Posts: 339

Re: Email verification

I don't see it either. However the long and detailed section that Papa Parrot posted above has been part of the FAQ in that form for most of the last year. But it seems to be missing at the moment.
Speculation: is it currently visible only to staff members? (A staff member could check this by looking again whilst logged out). I've tried using various browsers and various IP locations but I'm not seeing it through any of them. The rest of the FAQ seems to be there, but that section is not.

Offline

#14 2019-01-13 3:00 pm

Papa Parrot
Member
From: Mexico
Registered: 2011-08-19
Posts: 1,826
Website

Re: Email verification

(A staff member could check this by looking again whilst logged out).

I tried, and still do see it. It does seem odd though that some people see it and others don't.
I don't know what to think or say on that.

Offline

#15 2019-01-13 3:08 pm

zero-tolerance
Member
Registered: 2013-02-25
Posts: 339

Re: Email verification

Currently under Do's and Don'ts I see 3 expandable items:

    How we prefer not to see the data used and why
    Not all IP addresses are equal
    What you should think about using the data for

Under the English section I see 12 expandable items:

What do we do?
How can I see this information?
I'm listed on your site but Im not a spammer
What do we do?
How can I tell if someone is a spammer?
I run a network. Can you notify me if we get listed?
Can I help?
How can I help?
How much does it cost?
How can you support me?
I'm going to sue you for listing me!
Who has helped you?

If it's not a permission issue perhaps it's a stale cache at CF or something.

Offline

#16 2019-01-13 3:12 pm

kpatz
Member
Registered: 2008-10-09
Posts: 1,437

Re: Email verification

Currently under Do's and Don'ts I see 3 expandable items:

    How we prefer not to see the data used and why
    Not all IP addresses are equal
    What you should think about using the data for

This is what I see now.  I did see "What data can I submit?" as a 4th item yesterday.  It's like a mystery novel.  The mysterious disappearing FAQ.

EDIT:  First time I clicked the FAQ this morning, from the top menu bar, that item did not appear.  Then I clicked the link in Papa Parrot's post, and the item now appears again.  And it also appears again when I click the FAQ link.  It's some sort of weird caching issue.

The only difference in the links is one has a # on the end and one does not.

Link from menu bar: https://www.stopforumspam.com/faq
Link from PP's post: https://www.stopforumspam.com/faq#

Last edited by kpatz (2019-01-13 3:17 pm)


Spam happens when greed meets stupidity.

Offline

#17 2019-01-13 3:22 pm

zero-tolerance
Member
Registered: 2013-02-25
Posts: 339

Re: Email verification

Neither link shows me the fourth item. But yes, it does look like a caching issue.

Last edited by zero-tolerance (2019-01-13 3:24 pm)

Offline

#18 2019-01-13 9:40 pm

Papa Parrot
Member
From: Mexico
Registered: 2011-08-19
Posts: 1,826
Website

Re: Email verification

Hmm, OK, well, I can now confirm as well: sometimes it is there, and just now when I looked, it is NOT there. Also,
when I selected the English option, it does not appear to be the same as what I saw yesterday...
That is strange. Pedigree will need to look at this and see if he can figure it out. I don't think it has always been this way; last time I looked at the FAQ was several months ago, and I did not notice anything like this.
======== edit ====
After logging out, and back in again, now it is there... Anyway, this is not the way it is supposed to be; it should always be there.

Offline

#19 2019-01-14 12:13 am

pedigree
uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı
From: New Zealand
Registered: 2008-04-16
Posts: 7,054

Re: Email verification

Time to check out the caches/language files again I see

Offline
